Opened 8 years ago

Closed 8 years ago

Last modified 3 years ago

#13136 closed patch (fixed)

Segfault with unexpected jingle transport type

Reported by: nikita Owned by: darkrain42
Milestone: 2.7.10 Component: Voice and Video
Version: 2.7.9 Keywords: jingle invalid transport segfault
Cc:

Description

Hello,

When libpurple receives an incoming jingle request with an unexpected jingle transport type, it crashes.

Here is the backtrace:

(gdb) bt full
#0  0x00007fa0d9e16ba5 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x00007fa0d9e1a6b0 in abort () at abort.c:92
        act = {__sigaction_handler = {sa_handler = 0x1000000020, sa_sigaction = 0x1000000020}, sa_mask = {__val = {0, 4662085, 140735345723504, 0, 140328852244520, 140328826739536, 140328920107400, 140735345724640, 4294967295, 1, 1, 
              7405168, 0, 48728150, 1, 0}}, sa_flags = -548316559, sa_restorer = 0x1}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00000000004982f7 in sighandler (sig=11) at gtkmain.c:191
        written = 140735345724144
#3  <signal handler called>
No symbol table info available.
#4  0x00007fa0cd6dd7db in jingle_transport_parse (transport=0x30b14e0) at jingle/transport.c:163
        type = 0x30aec60 "http://www.xmpp.org/extensions/xep-0177.html#ns"
#5  0x00007fa0cd6d709d in jingle_content_parse_internal (content=0x30b1680) at jingle/content.c:386
        description = 0x30b1700
        type = 0x30b1a90 "urn:xmpp:jingle:apps:rtp:1"
        creator = 0x30b15e0 "initiator"
        disposition = 0x0
        senders = 0x0
        name = 0x30b1540 "Microphone"
        transport = 0x7fa0db848148
#6  0x00007fa0cd6db048 in jingle_rtp_parse_internal (rtp=0x30b1680) at jingle/rtp.c:685
        content = 0x30680d0
        description = 0x0
        media_type = 0x0
        ssrc = 0x7fff804a0ee0 "\020\017J\200\377\177"
#7  0x00007fa0cd6d7163 in jingle_content_parse (content=0x30b1680) at jingle/content.c:403
        type = 0x30b1a90 "urn:xmpp:jingle:apps:rtp:1"
        jingle_type = 50884208
#8  0x00007fa0cd6d57d7 in jingle_handle_session_initiate (session=0x2ed14c0, jingle=0x30b1be0) at jingle/jingle.c:234
        parsed_content = 0x1d6f660
        content = 0x30b1680
#9  0x00007fa0cd6d5e4d in jingle_parse (js=0x2e1a560, from=0x30b1950 "test3@elyzion.net/Beem", type=JABBER_IQ_SET, id=0x30b1d90 "zl22h-42", jingle=0x30b1be0) at jingle/jingle.c:426
        action = 0x30b16e0 "session-initiate"
        sid = 0x30b1760 "6643120236470425030"
        action_type = JINGLE_SESSION_INITIATE
        session = 0x2ed14c0
#10 0x00007fa0cd6c8cf7 in jabber_iq_parse (js=0x2e1a560, packet=0x3080ed0) at iq.c:380
        key = 0x30afcc0 "`_\004\003"
        jih = 0x7fa0cd6d5c91 <jingle_parse>
        signal_ref = 0
        jcd = 0x0
        child = 0x30b1be0
        error = 0x0
        x = 0x0
        xmlns = 0x30b1b40 "urn:xmpp:jingle:1"
        iq_type = 0x30b1c60 "set"
        id = 0x30b1d90 "zl22h-42"
        from = 0x30b1950 "test3@elyzion.net/Beem"
        type = JABBER_IQ_SET
        signal_return = 0

Of course, in my backtrace "http://www.xmpp.org/extensions/xep-0177.html#ns" is an invalid type, but libpurple will segfault because of it.

I have also attached a small patch that I hope fixes this issue.

PS: I want to point out that the bug occurs only if libpurple is configured with --enabled-vv, but the plugin doesn't need to be loaded to reproduce the issue.

Attachments (2)

jingle_transport.patch (1.6 KB) - added by nikita 8 years ago.
fix
jingle_transport_2.patch (2.3 KB) - added by nikita 8 years ago.
new patch


Change History (14)

Changed 8 years ago by nikita

fix

comment:1 Changed 8 years ago by Robby

  • Milestone set to Patches Needing Review

comment:2 Changed 8 years ago by rekkanoryo

  • Type changed from defect to patch

comment:3 Changed 8 years ago by nikita

If someone wants to test the patch, I can help by sending him some custom jingle requests.

comment:4 Changed 8 years ago by rekkanoryo

  • Milestone changed from Patches Needing Review to 2.7.10
  • Owner changed from Maiku to darkrain42

comment:5 follow-up: Changed 8 years ago by darkrain42

This patch is mostly correct. xmlnode_get_namespace can return NULL, so that needs to be handled (preferably in jingle_get_type)
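The following is an added illustration of the defensive pattern the ticket converges on, not libpurple code and not either attached patch: a namespace-to-transport-type lookup that treats a missing (NULL) namespace and an unregistered namespace the same way, as "no usable transport", so that the parser returns an error instead of dereferencing an invalid type. The xml_node struct, node_get_namespace (a stand-in for xmlnode_get_namespace, which the comment above notes can return NULL), jingle_transport_type_lookup and jingle_transport_parse_safe are all invented names, and the transport registry is constructed for the example.

```c
/* Added illustration, not libpurple code: look up a jingle transport by
 * namespace and reject NULL or unknown namespaces instead of crashing.
 * All names below are invented for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for an XML element: only the namespace is modelled. */
typedef struct {
    const char *name;
    const char *xmlns; /* NULL when the element carries no namespace */
} xml_node;

/* Stand-in for xmlnode_get_namespace(): returns NULL when absent. */
static const char *node_get_namespace(const xml_node *node)
{
    return node ? node->xmlns : NULL;
}

/* Constructed registry of transports this build knows how to handle. */
typedef struct {
    const char *ns;
    int type_id; /* 0 is reserved to mean "not a known transport" */
} transport_entry;

static const transport_entry known_transports[] = {
    { "urn:xmpp:jingle:transports:ice-udp:1", 1 },
    { "urn:xmpp:jingle:transports:raw-udp:1", 2 },
};

/* Returns the registered type id for a namespace, or 0 for NULL/unknown.
 * The NULL check is the point: a missing namespace must not be passed
 * on to strcmp() or used as an index. */
int jingle_transport_type_lookup(const char *ns)
{
    size_t i;
    if (ns == NULL)
        return 0;
    for (i = 0; i < sizeof known_transports / sizeof known_transports[0]; i++)
        if (strcmp(known_transports[i].ns, ns) == 0)
            return known_transports[i].type_id;
    return 0;
}

/* Parsed transport: only filled in when the namespace is recognised. */
typedef struct {
    int type_id;
    const char *ns;
} jingle_transport;

/* Parse a <transport> element; returns 0 on success, -1 when rejected.
 * Callers must check the return value before touching *out, which is
 * what turns an unexpected remote value into a logged rejection. */
int jingle_transport_parse_safe(const xml_node *node, jingle_transport *out)
{
    const char *ns = node_get_namespace(node);
    int type_id = jingle_transport_type_lookup(ns);
    if (type_id == 0) {
        fprintf(stderr, "jingle: rejecting transport with namespace '%s'\n",
                ns ? ns : "(none)");
        return -1;
    }
    out->type_id = type_id;
    out->ns = ns;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one registered transport, one carrying the
     * namespace from the ticket's backtrace (unexpected for a transport),
     * and one with no namespace at all. */
    xml_node good = { "transport", "urn:xmpp:jingle:transports:ice-udp:1" };
    xml_node bad  = { "transport", "http://www.xmpp.org/extensions/xep-0177.html#ns" };
    xml_node none = { "transport", NULL };
    jingle_transport t;

    printf("good: %d\n", jingle_transport_parse_safe(&good, &t));
    printf("bad:  %d\n", jingle_transport_parse_safe(&bad, &t));
    printf("none: %d\n", jingle_transport_parse_safe(&none, &t));
    return 0;
}
```

Both failure paths (no namespace, unknown namespace) end in the same rejection branch, which is why handling NULL inside the lookup rather than at each call site is the less error-prone placement.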

comment:6 Changed 8 years ago by darkrain42

nikita, what name and email address should you be credited with?

Changed 8 years ago by nikita

new patch

comment:7 in reply to: ↑ 5 Changed 8 years ago by nikita

Replying to darkrain42:

This patch is mostly correct. xmlnode_get_namespace can return NULL, so that needs to be handled (preferably in jingle_get_type)

Of course you are right; I have attached a new patch since I don't know if you wanted me to correct it. If not, sorry for the disturbance.

Replying to darkrain42:

nikita, what name and email address should you be credited with?

Nikita Kozlov <nikita at beem-project dot com>

Thank you

comment:8 Changed 8 years ago by darkrain42

My original comment said "I don't expect you to fix it", and it was mostly a reminder to myself that there was a second issue, but thank you for correcting it.

comment:9 Changed 8 years ago by darkrain42

*original comment which got eaten by a browser timeout

comment:10 Changed 8 years ago by nikita@…

  • Resolution set to fixed
  • Status changed from new to closed

(In 93f493d9c4d925a042e4b9d0211388ad38c9b92c):
Don't crash on invalid/unexpected jingle transport types. Fixes #13136.

comment:11 Changed 8 years ago by rekkanoryo@…

(In 7d1d85421a7221e67b586df32625c65c1434f195):
Credit Nikita appropriately. Refs #13136.

comment:12 Changed 3 years ago by dx

Ticket #14665 has been marked as a duplicate of this ticket.
